Improper access control in Nextcloud Social app allowed to read posts of any user

Thursday, 19 November 2020, 12:53 GMT

The Social App (apps.nextcloud.com/apps/social) does not validate the server TLS certificate for connections to other ActivityPub servers. These connections are used to retrieve the public key for a user or to post a message to another ActivityPub server. The public key for a user is used to validate the ActivityPub user.

The vulnerable code is on GitHub.

The initRequest method disables verification of the peer's certificate by setting CURLOPT_SSL_VERIFYPEER to FALSE.

This code is called from CurlService.php; check that file as well.
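To make the defect concrete, the following is an added example and not the Social app's own code: a minimal curl wrapper that shows the insecure setting the advisory describes next to a hardened configuration, plus a fetch helper that surfaces certificate failures instead of hiding them. The function names (initRequestInsecure, initRequestHardened, fetchActor) and the actor URL are assumptions; the CURLOPT_* constants are real PHP/libcurl options.

```php
<?php
// Added example, not code from the Social app. Function names are assumptions;
// the CURLOPT_* constants are real PHP/libcurl options.

declare(strict_types=1);

/**
 * Vulnerable pattern (the one the advisory describes): peer verification is
 * switched off, so any certificate, including a self-signed one presented by
 * a man-in-the-middle, is accepted.
 */
function initRequestInsecure(string $url)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // the defect
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);     // often disabled alongside it
    return $curl;
}

/**
 * Hardened pattern: verify the chain against a trusted CA bundle AND require
 * the certificate to match the host name in the URL. Both must be on: chain
 * verification without the host check still accepts any valid certificate
 * issued for some other domain.
 */
function initRequestHardened(string $url, ?string $caBundle = null)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);       // never fall back to plain http
    curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($curl, CURLOPT_TIMEOUT, 15);
    if ($caBundle !== null) {
        // Explicit bundle; when omitted, libcurl uses its compiled-in default.
        curl_setopt($curl, CURLOPT_CAINFO, $caBundle);
    }
    return $curl;
}

/**
 * Fetch an ActivityPub actor document (the place a remote user's public key
 * comes from). Certificate problems are hard errors, never a silent fallback.
 */
function fetchActor(string $url): array
{
    $curl = initRequestHardened($url);
    curl_setopt($curl, CURLOPT_HTTPHEADER, ['Accept: application/activity+json']);
    $body   = curl_exec($curl);
    $errno  = curl_errno($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);

    // 60 = CURLE_PEER_FAILED_VERIFICATION (51 on libcurl older than 7.62):
    // exactly the failures the insecure configuration would have suppressed.
    if ($errno === 51 || $errno === 60) {
        throw new RuntimeException("TLS verification failed for $url: " . curl_strerror($errno));
    }
    if ($errno !== 0 || $body === false) {
        throw new RuntimeException("Request to $url failed: " . curl_strerror($errno));
    }
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status from $url");
    }

    $actor = json_decode($body, true);
    if (!is_array($actor) || empty($actor['publicKey']['publicKeyPem'])) {
        throw new RuntimeException("Actor document from $url carries no public key");
    }
    return $actor;
}

// Usage (assumed URL): $actor = fetchActor('https://example.social/users/alice');
```

The reason the hardened variant matters for this app specifically: the actor document fetched here supplies the public key that every later HTTP-signature check trusts. If that fetch can be intercepted, the key itself is attacker-controlled, so the signature check downstream validates whatever the interceptor signs. Verifying the certificate at this single point is what anchors the rest of the trust chain.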

This issue has been tested on Nextcloud version 19.0.0.12 with Social version 0.3.1.

Impact

An attacker can perform a man-in-the-middle attack, impersonating the target server with a self-signed TLS certificate.

The attacker would need a privileged network position between the Nextcloud instance and the target ActivityPub server.

Solution:

Update to any version up to 0.3.1